Re: Fedora Workstation and disabled by default firewall

On Monday, August 26, 2019 6:07:30 AM MST mcatanzaro@xxxxxxxxx wrote:
> Well the thing is, blocking ports tends to break applications that want
> to use those ports. We're not going to do that, period. It also doesn't
> really accomplish anything: either your app or service needs network
> access and you have whitelisted it (in which case the firewall provides
> no security), or it needs network access and you have not whitelisted
> it (in which case your firewall breaks your app/service). In no case
> does it increase your security without breaking your app, right? Unless
> you have malware installed (in which case, you have bigger problems
> than the firewall). Or unless you have a vulnerable network service
> installed that you don't want (in which case, uninstall it).
> 
> So if you want to change the firewall settings, you'd need to
> completely rethink how the firewall works. And nobody seems interested
> in doing that. We could e.g. have a list of apps that are allowed
> network access, but then we'd need some form of attestation so apps
> can't impersonate each other. So only sandboxed (flatpaked) apps could
> use this hypothetical new firewall. And we surely don't want to have
> yes/no permission prompts, so we can't really ask the user "do you want
> your app to access the network?" (the user will almost always say yes).
> I'm not really sure what design would even work.
> 
> Avoiding unnecessary network services makes more sense.
> 
> On Mon, Aug 26, 2019 at 3:45 PM, Alexander Ploumistos
> <alex.ploumistos@xxxxxxxxx> wrote:
> > As a matter of fact, you did:
> > <https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/3LHDQD5HCZMPV6O4LZRSKTVEIKEFJIBY/#3LHDQD5HCZMPV6O4LZRSKTVEIKEFJIBY>
> > <https://docs.fedoraproject.org/en-US/Fedora/21/html/Release_Notes/sect-Products.html#idm225474210784>
> Thanks for dredging up these links!
> 
> Michael

Wait.. what? Seriously?

No, that is not how this works, at all. First, let's go ahead and address the 
idea that "if the firewall blocks it, the app breaks, so it's the firewall's 
fault": It's not. If the firewall has not been opened, that just means it 
can't be accessed by remote systems until you EXPLICITLY open that port, with 
the correct protocol, on your firewall. That's FINE. That's how it's designed 
to work. There's nothing wrong with that.

This means that the system administrator (or owner, if this is some 
individual's personal system) must allow the port to be accessed remotely, 
before the app can be reached remotely, increasing the security of the system.

It also prevents one from running software, open to the world, by accident, 
whether that means piping a script to bash (horrible practice, but people do 
it daily), badly written scripts, poorly written user software and 
vulnerabilities in software, to name a few of the things that might bind a 
port without the user knowing immediately.

Also, I hope to God that this configuration is never pushed to a system run on 
a public network (like McDonalds or Starbucks wifi).

Additionally, there's more to firewall config than just "opening ports". While 
leaving all ports open is a security nightmare, this config looks even worse!

-- 
John M. Harris, Jr. <johnmh@xxxxxxxxxxxxx>
Splentity
https://splentity.com/
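The point John makes above, that a default-closed firewall catches software that binds a port without the owner noticing, is something an administrator can check for directly. The script below is an added example written for this archive page; it is not code from the thread or from the Fedora project. It lists TCP listeners bound to all interfaces (0.0.0.0, [::] or *) whose port is not covered by the firewall's opened ports or services. The `ss -tlnpH`, `firewall-cmd --list-ports`, `--list-services` and `--info-service` invocations are real firewalld/iproute2 commands; the `SAMPLE_SS` listener table is constructed so the logic can be exercised offline, and the process names and PIDs in it are invented.

```shell
#!/bin/sh
# Added audit example (not from the thread or from Fedora): report listeners
# that are reachable from the network but were never explicitly opened.

# Constructed sample of `ss -tlnpH` output (State Recv-Q Send-Q Local:Port Peer:Port Process).
# Process names and PIDs are invented for the example.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=901,fd=7))
LISTEN 0 4096 *:8080 *:* users:(("python3",pid=2310,fd=4))
LISTEN 0 128 [::]:5900 [::]:* users:(("gnome-remote-de",pid=2488,fd=12))'

# port_opened PORT "tok tok ..." -> exit 0 if PORT is a listed port or falls
# inside a listed LOW-HIGH range (firewalld prints ranges like 1025-65535).
port_opened() {
    p=$1
    for tok in $2; do
        case "$tok" in
            *-*) lo=${tok%-*}; hi=${tok#*-}
                 if [ "$p" -ge "$lo" ] && [ "$p" -le "$hi" ]; then return 0; fi ;;
            *)   if [ "$p" -eq "$tok" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# exposed_listeners "<ss -tlnpH output>" "<opened ports/ranges>"
# Prints "port process" for each wildcard-bound listener the firewall does not
# allow. Loopback-only sockets are skipped: the host firewall never mediates them.
exposed_listeners() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        local_addr=$(printf '%s\n' "$line" | awk '{print $4}')   # e.g. [::]:5900
        port=${local_addr##*:}
        host=${local_addr%:*}
        case "$host" in
            0.0.0.0|'[::]'|'*') ;;   # bound on every interface: reachable remotely
            *) continue ;;           # 127.0.0.1, [::1] or one specific address
        esac
        if port_opened "$port" "$2"; then continue; fi
        proc=$(printf '%s\n' "$line" | sed -n 's/.*users:(("\([^"]*\)".*/\1/p')
        printf '%s %s\n' "$port" "${proc:-unknown}"
    done
}

# Live run on a firewalld host (root needed for other users' process names).
# Opened tcp ports come from --list-ports plus each listed service's ports.
audit_live() {
    zone=$(firewall-cmd --get-default-zone)
    ports=$(firewall-cmd --zone="$zone" --list-ports | tr ' ' '\n' | sed -n 's#/tcp$##p')
    for svc in $(firewall-cmd --zone="$zone" --list-services); do
        ports="$ports
$(firewall-cmd --info-service="$svc" | sed -n 's/^ *ports: //p' | tr ' ' '\n' | sed -n 's#/tcp$##p')"
    done
    exposed_listeners "$(ss -tlnpH)" "$(printf '%s' "$ports" | tr '\n' ' ')"
}

# Offline demonstration on the constructed table.
if [ "${1:-}" = "--demo" ]; then
    echo "Only port 22 opened:";            exposed_listeners "$SAMPLE_SS" "22"
    echo "22 plus a 1025-65535 range opened:"; exposed_listeners "$SAMPLE_SS" "22 1025-65535"
fi
```

Run with `--demo` to see the two policies side by side: with only port 22 opened, the python3 listener on 8080 and the remote-desktop listener on 5900 are flagged; once a high-port range such as 1025-65535/tcp is opened (the range the FedoraWorkstation zone permits), both disappear from the report, which is the exposure the message above objects to. The range check is what makes that difference visible, so keep it when adapting the script.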

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
